CN102025741A - Trusted identity service platform with two-layer framework and construction method thereof - Google Patents

Publication number: CN102025741A
Authority: CN (China)
Application number: CN2010105882221A
Priority: CN 201010588222
Other languages: Chinese (zh)
Other versions: CN102025741B
Inventors: 冯登国, 王雅哲, 张立武, 朱玉涛
Current assignee: Institute of Software of CAS
Original assignee: Institute of Software of CAS
Prior art keywords: user, identity, account management, identification card, management system
Legal status: Granted; Expired - Fee Related
Abstract

The invention discloses a trusted identity service platform with a two-layer framework and a construction method thereof, which belong to the fields of computer technology and information security. The method comprises the following steps: 1) building a business account management system and generating an account identifier for each registered business user; building a network identity card system and generating a real identity identifier for each registered real user; 2) registering the business account management system with the network identity card system and obtaining a system identifier; 3) binding the registered business account to the real identity of the registered user according to the system identifier; and 4) the business account management system changing the state of the bound user to "bound". The platform comprises one network identity card system and one or more business account management systems, the network identity card system being connected to the business account management systems through the network. The invention provides convenient user management in the new network environment while guaranteeing the security of the network.

Description

Trusted identity service platform with a two-layer framework and construction method thereof
Technical field
The invention belongs to the fields of computer technology and information security, and relates to a trusted identity service platform with a two-layer framework and a construction method thereof.
Background technology
For a long time, in the second-generation Internet application environment, the IT industry has remained intensive in software, hardware or system platforms: service providers meet the demand for computing and storage resources with large servers and terminal clusters, information resources are partitioned across different terminal nodes, and the Internet itself serves as an instrument for information exchange. As new technologies represented by grids, Web Services and IPv6 continue to emerge, people see the hope of integrating all online information resources, but technical obstacles and non-technical factors such as policy, business models and conflicts of interest leave many difficult problems in realizing information integration. Recently, with the rise of cloud computing, the spread of mobile 3G, the convergence of Internet2 and NGN, and the proposal of the Internet of Things, large-scale cooperation between information nodes, interoperability between information systems and the integration of information platforms have become possible. In the field of information security, ensuring the authenticity of information in cyberspace, strictly controlling network crime, and keeping network users' privacy inviolable require establishing a network trust system suited to the new network environment.
In the new network environment, because information is concentrated in the Internet, platforms, computing resources and storage resources can be customized from the Internet in the form of services; local terminals become simpler, and their computing and storage capacity weaker. All of a user's applications and data resources will be moved onto the network, but the many kinds of network services may belong to different service providers, which makes it complicated for users to manage their own data and resources. It is therefore necessary to build a complete business account management system that helps users manage their various business accounts.
From a security standpoint, the harm caused by the virtual nature of network identities has always been a serious problem in network applications. In the past Internet model, the requirement to protect users' real identities and the requirement to supervise virtual identities have always stood in contradiction. In the new network system, more and more important information and data move onto the network, so the network bears greater responsibility; likewise, the consequences of a network incident become more serious, and may be disastrous for enterprises and individuals. Strengthening supervision of network users and establishing a sound system for tracing responsibility after an incident are therefore entirely necessary.
Summary of the invention:
In view of the above problems, the present invention proposes a trusted identity service platform with a two-layer framework and a construction method thereof, in order to provide convenient user management while guaranteeing the security of the network in the new network environment. The invention provides unified identity management services for all of a user's applications; combined with the user's real identity, it can strengthen network supervision more easily, and for each concrete business it maps an independent business account that serves the user as a virtual identity and protects the user's privacy.
The platform is proposed in view of the characteristics of the new network environment and the deficiencies of current network business models. It comprises a network identity card system and business account management systems. A business account management system is dedicated to particular Internet services: it can be seamlessly combined with a concrete business system through configuration, manages the account information of that business system separately, and at the same time decouples the business processing logic of the business system, so that its processing is clearer and easier to implement. The network identity card system manages users' real identities; it is the equivalent of an identity card in the network, and is used for network supervision, for tracing responsibility for unlawful acts that occur on the network, and for ensuring that the legitimate interests of network users and network providers are not violated. Beyond the two layers of identity management systems with different security levels, the framework also binds the identities held in the two layers: it guarantees that a user's business account is tied to a real digital identity without the user's real identity being obtained by the concrete business account management system.
Part one: platform composition
The platform of the present invention is composed of subordinate business account management systems and a superior network identity card system. A business account management system mainly implements traditional identity management functions, providing identity management services for the business system set up by a service provider; the network identity card system manages the real identities of all users in its domain, together with the binding relationships between users' business accounts and their real identities, and provides services for real-name network identity. Because the large amount of false information on the network currently brings many inconveniences to people's daily lives, and the various kinds of network fraud in particular are a huge threat and hidden danger to the development of the network, strengthening network supervision and establishing a real-name system are effective ways to address this problem. On the other hand, because real-name network identity is currently implemented mainly by service providers, users' personal privacy is handed to profit-making enterprises, which makes most users resistant to and dissatisfied with real-name registration. In the present invention, the network identity card system is deployed and controlled by an authority department or an associated agency, such as a school, a mass organization or an enterprise. A user's real identity can be queried only when a network incident occurs and responsibility must be traced, and the business account management system cannot obtain the user's real identity, so the user's privacy is protected.
The platform of the present invention may comprise one network identity card system and several business account management systems. A business account management system must register with the network identity card system before its accounts can subsequently be bound to users' real identities. The functions of a business account management system are the same as the identity management functions of a traditional business, plus an identity binding interaction module that implements the procedure for binding a system user account to its real identity. The network identity card system likewise comprises an identity binding interaction module for executing the identity binding process, together with a business system registration module, a real identity management module and an identity binding relationship query module. The functions of these modules are as follows:
1) Business system registration module: a business account management system registers with the network identity card system, which issues it a unique system identifier. After registration, a user's account in the business account management system can be bound to the user's real identity through the identity binding process.
2) Real identity management module: accepts registration requests for users' real identities, and adds, deletes, modifies and queries the real identities of users in the system.
3) Identity binding relationship query module: looks up the real identity corresponding to an account in a registered business account management system; it can also look up, by a user's real identity, all business account management systems the user has registered with and the corresponding accounts in those systems.
Part two: identity binding process
The identity binding process combines the business account management system with the network identity card system, binds a user's business account to the user's real identity, and at the same time guarantees that the user's real identity information remains invisible to the business account management system. Two implementations of the identity binding process are given below. The precondition for both is that the business account management system has registered with the network identity card system, so that during binding the network identity card system knows which concrete business account management system a newly registered account comes from.
Identity binding scheme based on a trusted mail system:
This scheme guarantees the correctness of the identity binding process by means of an external trusted mail system. Messages exchanged between the business account management system and the network identity card system are protected against tampering by digital signatures, and a time factor is added to critical messages to prevent replay by an attacker. The identity binding process of this scheme can be expressed as follows:
1. The user sends an identity binding request message to the identity binding interaction module of the business account management system. The message contains the unique real identity identifier the user registered in the network identity card system and the unique account identifier the user registered in the business account management system;
2. The identity binding interaction module of the business account management system checks whether the account exists. After the check passes, it sends a message to the identity binding interaction module of the network identity card system containing: the unique system identifier this business account management system registered in the network identity card system, the unique real identity identifier the user submitted in message 1, a random verification code chosen by this system, a digital signature over the first three fields made with its own private key, and a time factor;
3. The identity binding interaction module of the network identity card system reads the public key certificate of the corresponding business account management system according to the system identifier in the step 2 message, verifies the correctness of the signature on message 2, and then sends the name of the business account management system and the random verification code from the step 2 message to the trusted e-mail address the user registered in the network identity card system;
4. The user logs in to his or her mailbox, obtains the name of the business account management system and the random verification code, and submits the random verification code to the business account management system. The system name is used to distinguish the concrete business account management system when the user has registered several business accounts;
5. The business account management system decides whether the identity binding succeeds according to the correctness and timeliness of the random verification code. If it succeeds, it sends a message to the identity binding interaction module of the network identity card system containing: the unique business system identifier, the unique user business account identifier, the unique user real identity identifier, and a digital signature over the first three fields made with the business account management system's private key;
6. The identity binding interaction module of the network identity card system receives the message sent in step 5 and verifies the correctness of the signature. If verification succeeds, it saves the mapping between the real identity and the business account in its database and sends an identity binding success message to the identity binding interaction module of the business account management system;
7. After the identity binding interaction module of the business account management system receives the identity binding success message, it changes the state of the user's account to bound, and the identity binding process is complete.
In this scheme, the correctness of the association between a business account and a real identity is guaranteed by the real e-mail address the user registered in the real identity system. An intruder who wants to register a business account using someone else's identity must know that user's identity identifier in the real identity system, the corresponding e-mail address, and the password of that e-mail account; this level of security is adequate for most systems in existence today. The mail systems that may be used during registration in the network identity card system can also be restricted, so that the security of the designated mail systems guarantees the security of the identity management system.
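The mail-based binding process above (steps 1 to 7, with the field names BusiAccount, UserID, SystemID, CCode and Sign of the embodiment's Msg1 and Msg2) as an executable model; this is an added example, not code from the patent. An HMAC over the message fields stands in for the private-key signature that the business system would make and the network identity card system would verify against the registered certificate, a list stands in for the trusted mail system, and the time factor is checked on Msg2 as described in step 2; all names, keys and time values are constructed.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, *fields: str) -> str:
    """Stand-in for the private-key digital signature over the listed fields."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, sig: str, *fields: str) -> bool:
    return hmac.compare_digest(sign(key, *fields), sig)


class RealIdMgr:
    """Network identity card system: real identities, bindings, mail sending."""
    def __init__(self, outbox: list, window: int = 300):
        self.systems = {}     # SystemID -> (system name, verification key)
        self.users = {}       # UserID -> trusted e-mail address
        self.bindings = {}    # (SystemID, BusiAccount) -> UserID
        self.outbox = outbox  # stands in for the trusted mail system
        self.window = window  # accepted age of Msg2's time factor, seconds

    def register_system(self, name: str, key: bytes) -> str:
        system_id = "SYS-" + secrets.token_hex(4)
        self.systems[system_id] = (name, key)
        return system_id

    def register_user(self, user_id: str, email: str) -> None:
        self.users[user_id] = email

    def handle_msg2(self, msg2: dict, now: float) -> bool:
        """Steps 2-3: check signature and time factor, then mail the code."""
        entry = self.systems.get(msg2["SystemID"])
        if entry is None:
            return False  # unregistered business system
        name, key = entry
        if not verify(key, msg2["Sign"], msg2["SystemID"], msg2["UserID"], msg2["CCode"]):
            return False  # tampered message
        if not 0 <= now - msg2["Time"] <= self.window:
            return False  # stale or future-dated: treated as a replay
        email = self.users.get(msg2["UserID"])
        if email is None:
            return False  # unknown real identity: binding fails
        self.outbox.append((email, name, msg2["CCode"]))  # BusiIdMgr never sees the address
        return True

    def handle_msg5(self, msg5: dict) -> bool:
        """Step 6: verify the signature and save the account/identity mapping."""
        entry = self.systems.get(msg5["SystemID"])
        if entry is None or not verify(entry[1], msg5["Sign"], msg5["SystemID"],
                                       msg5["BusiAccount"], msg5["UserID"]):
            return False
        self.bindings[(msg5["SystemID"], msg5["BusiAccount"])] = msg5["UserID"]
        return True

    def lookup(self, system_id: str, account: str):
        """Supervision query: the real identity behind a business account, or None."""
        return self.bindings.get((system_id, account))


class BusiIdMgr:
    """Business account management system: holds UserID only, never the e-mail."""
    def __init__(self, name: str, key: bytes, real: RealIdMgr, ttl: int = 600):
        self.key = key
        self.real = real
        self.system_id = real.register_system(name, key)
        self.accounts = {}  # BusiAccount -> "unbound" | "bound"
        self.pending = {}   # BusiAccount -> (UserID, CCode, issued_at)
        self.ttl = ttl      # how long a mailed code stays valid, seconds

    def register_account(self, account: str) -> None:
        self.accounts[account] = "unbound"

    def request_binding(self, msg1: dict, now: float) -> bool:
        """Steps 1-2: Msg1 = {BusiAccount, UserID}; build Msg2 and send it."""
        account, user_id = msg1["BusiAccount"], msg1["UserID"]
        if account not in self.accounts:
            return False
        ccode = secrets.token_hex(4)
        msg2 = {"SystemID": self.system_id, "UserID": user_id, "CCode": ccode,
                "Sign": sign(self.key, self.system_id, user_id, ccode), "Time": now}
        if not self.real.handle_msg2(msg2, now):
            return False
        self.pending[account] = (user_id, ccode, now)
        return True

    def confirm(self, account: str, ccode: str, now: float) -> bool:
        """Steps 4-7: user submits the mailed code; on success send Msg5."""
        entry = self.pending.pop(account, None)  # one attempt per request
        if entry is None:
            return False
        user_id, expected, issued = entry
        if not hmac.compare_digest(expected, ccode) or now - issued > self.ttl:
            return False  # wrong or expired code
        msg5 = {"SystemID": self.system_id, "BusiAccount": account, "UserID": user_id,
                "Sign": sign(self.key, self.system_id, account, user_id)}
        if not self.real.handle_msg5(msg5):
            return False
        self.accounts[account] = "bound"  # step 7
        return True
```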
Identity binding scheme based on two logins:
In this scheme the user logs in, from the same browser client, once to the business account management system and once to the network identity card system, and thereby binds the business account to the real identity. The transmission channel is protected with SSL to prevent private messages from being read by others, and messages are signed with digital certificates to guarantee that they are not tampered with. Timestamps are added to critical messages to resist replay attacks. The concrete identity binding scheme is described as follows:
1. The user sends an identity binding request message through the browser to the identity binding interaction module of the business account management system; the message contains the unique identifier of the user's account in this business account management system.
2. The business account management system checks whether the account identified by the account identifier in the step 1 message exists. If it exists, it returns a message to the user's browser containing: the account identifier from the step 1 message, the system identifier this business account management system registered in the network identity card system, the current time, and a digital signature over these three fields made with this business account management system's private key;
3. The user logs in to the network identity card system through the same browser and sends the real identity identifier registered in the network identity card system to its identity binding interaction module; at the same time the browser redirects the message content of step 2 to the network identity card system;
4. The network identity card system determines from the time in the step 2 message whether that message is still valid. If it is, it reads the public key certificate of the business account management system according to the system identifier and verifies the correctness of its signature. If verification succeeds, it saves the mapping between the user's business account identifier and real identity identifier in its database and sends a message to the identity binding interaction module of the business account management system containing the user's business account identifier and a signature over that identifier made with the network identity card system's private key;
5. After the business account management system receives the message, it verifies the correctness of the signature with the public key certificate of the network identity card system. If verification passes, it changes the state of the account corresponding to the account identifier to bound, and the identity binding process is complete.
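The two-login scheme above (steps 1 to 5) as an executable model, showing the step 2 message the browser relays, the timestamp and signature checks of step 4, and the signed reply verified in step 5; this is an added example, not code from the patent. An HMAC over the fields stands in for the private-key signatures on both sides (so RealIdMgr's key plays the role of its public key certificate on the BusiIdMgr side), the user's login to RealIdMgr is represented simply by the UserID passed to `bind`, and all identifiers, keys and times are constructed.

```python
import hashlib
import hmac


def sign(key: bytes, *fields: str) -> str:
    """Stand-in for a private-key digital signature over the listed fields."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, sig: str, *fields: str) -> bool:
    return hmac.compare_digest(sign(key, *fields), sig)


class RealIdMgr:
    """Network identity card system side of the two-login scheme."""
    def __init__(self, key: bytes, window: int = 120):
        self.key = key        # RealIdMgr's own signing key
        self.systems = {}     # SystemID -> verification key of that business system
        self.users = set()    # registered real identity identifiers
        self.bindings = {}    # (SystemID, BusiAccount) -> UserID
        self.window = window  # seconds a step 2 message stays valid

    def register_system(self, key: bytes) -> str:
        system_id = f"SYS-{len(self.systems) + 1}"
        self.systems[system_id] = key
        return system_id

    def bind(self, user_id: str, step2: dict, now: int):
        """Steps 3-4: user_id is the identity the user logged in with, step2 the
        signed message relayed by the browser. Returns the step 4 message or None."""
        if user_id not in self.users:
            return None
        if not 0 <= now - step2["Time"] <= self.window:
            return None  # expired or future-dated: rejected as a replay
        key = self.systems.get(step2["SystemID"])
        if key is None or not verify(key, step2["Sign"], step2["BusiAccount"],
                                     step2["SystemID"], str(step2["Time"])):
            return None  # unregistered system or tampered message
        self.bindings[(step2["SystemID"], step2["BusiAccount"])] = user_id
        # As in step 4, only the business account identifier is signed here.
        return {"BusiAccount": step2["BusiAccount"],
                "Sign": sign(self.key, step2["BusiAccount"])}


class BusiIdMgr:
    """Business account management system side of the two-login scheme."""
    def __init__(self, key: bytes, real: RealIdMgr):
        self.key = key
        self.real_key = real.key  # obtained from RealIdMgr's certificate at registration
        self.system_id = real.register_system(key)
        self.accounts = {}        # BusiAccount -> "unbound" | "bound"

    def register_account(self, account: str) -> None:
        self.accounts[account] = "unbound"

    def issue(self, account: str, now: int):
        """Steps 1-2: return the signed message for the browser, or None."""
        if account not in self.accounts:
            return None
        return {"BusiAccount": account, "SystemID": self.system_id, "Time": now,
                "Sign": sign(self.key, account, self.system_id, str(now))}

    def finish(self, step4: dict) -> bool:
        """Step 5: verify RealIdMgr's signature and mark the account bound."""
        account = step4["BusiAccount"]
        if account not in self.accounts or not verify(self.real_key, step4["Sign"], account):
            return False
        self.accounts[account] = "bound"
        return True
```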
Compared with the prior art, the beneficial effects of the present invention are:
A two-layer identity management framework is used to separate the account management of a concrete business from the management of real identity information, making network supervision flexibly configurable. Existing identity management service systems mostly serve concrete business applications; the identity accounts in them are virtual and lack the property of after-the-fact supervision. Others implement a single real-name system for a specific supervision requirement. Systems implemented in these ways are guaranteed neither security nor flexibility. The present invention instead provides a loosely coupled, configurable security solution. The business account management system is responsible only for account management within the concrete business and does not involve users' real identity information, so users' privacy protection is unaffected; the network identity card system manages users' real identity information and the mapping between that information and users' business accounts, satisfying the security control requirement, and the access threshold of the supervision service can be set high to protect users' privacy.
In addition, because of the particular system architecture of the present invention, a secure binding procedure is needed to complete the binding of a user's business account to his or her real identity information. The present invention provides two reference examples. The binding procedures of both examples are simple, and they are protected respectively by a trusted mail system and by a signature policy together with a secure channel, which guarantees the security of the procedure.
Description of drawings
Fig. 1 is a structural schematic of the trusted identity service platform of the present invention;
Fig. 2 is a deployment diagram of the trusted identity service platform of the present invention;
Fig. 3 is a schematic of identity binding process scheme one;
Fig. 4 is a schematic of identity binding process scheme two.
Embodiment:
The present invention is further described below by means of a specific embodiment.
The present invention establishes a trusted identity service platform from two considerations, network supervision and user privacy protection in the new network environment, and it can also provide a unified identity management function. Strengthening network supervision, establishing a trustworthy network environment, and providing network users with a stable and trustworthy network platform are key issues that future network applications and administration must solve. The essential way to solve them is to establish a real-name system; yet implementing a real-name system may pose a great challenge to users' privacy protection, so establishing a real-name system must first of all ensure users' privacy. Unified identity management suits the customization of service sets in the new network environment and, through unified data management, greatly facilitates the management of users' complex custom service accounts in the new network. As described above, the platform built by the present invention has two layers: a business account management system layer oriented to the management of concrete business accounts, and a network identity card system layer oriented to network supervision and unified identity management. In addition, the identity binding process between the business account management system layer and the network identity card system layer is also an important part of the present invention; it effectively protects users' privacy from disclosure.
The present embodiment is designed according to the summary of the invention. The platform mainly comprises a network identity management server and one or more service account management servers, connected by a network; the network identity management server contains a network identity card system, and each service account management server contains one or more business account management systems. The two-layer identity management system comprises the business account management system BusiIdMgr and the network identity card system RealIdMgr, and the identity binding process between them is denoted MappingProcess. In the present embodiment the application scenario is a school, School, and a network book ordering system, BookReader. The first two parts are introduced by functional module, and the identity binding process is introduced by implementation.
(1) Two-layer identity management implementation system
The business account management system BusiIdMgr in the two-layer identity management implementation system is mainly responsible for the identity management tasks of the business application BookReader deployed in the network. The present embodiment sets up only the BookReader business; if several businesses use the same access control policy, a unified business account management system can be configured for them. BusiIdMgr provides interfaces through which it can be combined with the business application system BookReader and, at the same time, easily combined with RealIdMgr through MappingProcess. Its structure mainly comprises a basic identity management module, a system information configuration module and a user identity binding interaction module:
Basic identity management module: mainly responsible for the identity registration and identity management functions of ordinary users of the BookReader business; its functions are the same as those of the identity management module in a traditional business system.
System information configuration module: mainly responsible for configuring information about the business account management server itself, principally the domain name of the business account management server, the system identifier obtained after registration with the network identity card system, the private key of this system, and the public key certificate of the network identity card system.
User identity binding interaction module: mainly responsible for interacting with the user identity binding module of the network identity card system RealIdMgr, binding accounts in this system to users' real identities.
The BusiIdMgr system is deployed and managed by the BookReader service administrator. A deployed BusiIdMgr system must register with the network identity card system RealIdMgr, obtain a system identifier and the public key certificate of RealIdMgr, and then configure the system identifier, the public key certificate and the URL of the RealIdMgr system through the system information configuration module. After configuration is complete, newly registered accounts in the system can be bound to real identities in RealIdMgr through the identity binding process.
The role of the network identity card system RealIdMgr in the two-layer identity management implementation platform is to manage the real identities of users in the School domain. A real identity here means the digital identity in the Internet onto which a user's real-life identity is mapped; a user's digital identity in the network identifies a unique person in the real world. In the present embodiment this mapping is realized through the user's identification card number. The RealIdMgr system internally comprises a business system registration module, a real identity registration module, a real identity management module, an identity binding relationship query module and an identity binding interaction module, whose functions are described as follows:
Business system registration module: mainly responsible for providing the registration function for business account management systems in RealIdMgr. Because RealIdMgr manages the binding relationships of accounts in several business account management systems, each concrete business account management system must first register with RealIdMgr before it can carry out subsequent identity binding processes. At registration, the business account management system must submit its domain information, its URL, the digital identity certificate issued to it by a trusted CA, and the name of the business system. The business system registration module of RealIdMgr performs the registration and, on success, returns a unique system identifier.
Real identity registration module: mainly responsible for providing the real identity registration service to all users in the School domain. At registration the user must submit real information such as a personal identification card number, a real photograph and employer. A user who has not registered a real identity cannot perform identity binding for the accounts he or she logs in to in business systems, and access to concrete business functions is affected accordingly.
Real identity management module: this module serves the system administrator of RealIdMgr. Through it the administrator can add, delete, modify and query the real identities in the system, and can also issue identity certificates to users for login authentication, enhancing system security.
Identity binding relationship query module: this module is oriented to network supervision and the tracing of responsibility for network incidents. After a problem occurs, a system administrator with the specified permission can query through this module the real identity corresponding to an account in a concrete business account management system. Users can also use this module to check all the business account information they have registered.
Identity binding interaction module: this module is responsible for interacting with the identity binding module of the business account management system, binding a user's business account to a real identity in RealIdMgr while guaranteeing that the user's real identity is not obtained by the business account management system during the binding procedure.
(2) Identity binding process
The main function of the identity binding process MappingProcess is to bind an account in the BusiIdMgr system to the user's real identity in the RealIdMgr system. Corresponding to the two identity binding schemes proposed earlier in the present invention, this embodiment also describes two implementations of MappingProcess:
Implementation one: the identity binding process is realized through an external trusted e-mail system. Because the two implementations place slightly different design requirements on the RealIdMgr and BusiIdMgr systems, the preconditions of each implementation are stated before its binding flow. The prerequisites of implementation one are as follows:
1. One or more trusted external mail systems must be available, and a user who is to register with the RealIdMgr system must first register an e-mail address with a trusted external mail system.
2. When registering an account with the RealIdMgr system, the user must submit the trusted e-mail address so registered.
3. The BusiIdMgr system has registered with the RealIdMgr system.
The identity binding process is as follows:
1. The user sends the identity binding request message Msg1 from the browser client to the identity binding interaction module of BusiIdMgr. The message format can be expressed as:
Msg1={BusiAccount,UserID}
The message content comprises:
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
UserID: the unique identity identifier the user registered with RealIdMgr;
2. The identity binding interaction module of BusiIdMgr sends message Msg2 to the identity binding interaction module of RealIdMgr to request identity binding. The format of Msg2 is as follows:
Msg2={SystemID,UserID,CCode,Sign}
The message content comprises:
SystemID: the system identifier BusiIdMgr obtained when registering with RealIdMgr;
UserID: the unique identity identifier the user registered with RealIdMgr;
CCode: a random verification code chosen by BusiIdMgr;
Sign: the digital signature BusiIdMgr computes with its own private key over SystemID, UserID and CCode;
3. RealIdMgr obtains the digital certificate of the BusiIdMgr system according to SystemID and verifies that the signature Sign is correct. It then checks whether user UserID exists; if not, it directly sends a message informing BusiIdMgr that identity binding failed. If UserID exists, it looks up the trusted e-mail address registered for that user and sends an e-mail to that address. The e-mail can be expressed as message Msg3:
Msg3={SystemName,CCode}
The message content comprises:
SystemName: the name of the BusiIdMgr system, obtained according to SystemID;
CCode: the random verification code chosen by BusiIdMgr;
4. The user logs in to his or her mailbox, obtains the verification code CCode chosen by the BusiIdMgr system, and sends message Msg4 to the BusiIdMgr system through the browser. The message format is as follows:
Msg4={BusiAccount,CCode}
The message content comprises:
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
CCode: the random verification code chosen by BusiIdMgr;
5. The BusiIdMgr system verifies CCode. If it is incorrect, the identity binding procedure has failed; if it is correct, BusiIdMgr sends message Msg5 to the identity binding interaction module of the RealIdMgr system. The format of Msg5 is as follows:
Msg5={SystemID,BusiAccount,UserID,Sign2}
The message content comprises:
SystemID: the system identifier BusiIdMgr obtained when registering with RealIdMgr;
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
UserID: the unique identity identifier the user registered with RealIdMgr;
Sign2: the digital signature BusiIdMgr computes with its own private key over SystemID, BusiAccount and UserID;
6. The identity binding interaction module of the RealIdMgr system reads the digital certificate of the BusiIdMgr system according to SystemID and verifies that the signature Sign2 is correct. If it is incorrect, the message is left unprocessed; if the signature is correct, BusiAccount and UserID are saved in the database table corresponding to BusiIdMgr, and the binding-success confirmation message MsgOk is sent to the identity binding interaction module of BusiIdMgr.
At this point the implementation of MappingProcess based on a trusted e-mail system is complete, and the identity binding process ends.
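The e-mail based MappingProcess above, carried through with both systems' message handlers, as an added example in Go; it is not part of the patent and not the applicant's code. It assumes Ed25519 in place of the unspecified signature scheme, a raw public key in place of the digital certificate, a simple separator-joined encoding of the signed fields, and constructed names (SYS-001, campus-library, U-1001, alice_lib, alice@trusted-mail.example); the external trusted mail system is an in-memory outbox that the simulated user reads from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// canon joins message fields with an unambiguous separator before signing (the patent fixes no wire encoding).
func canon(fields ...string) []byte { return []byte(strings.Join(fields, "\x1f")) }

type Msg2 struct{ SystemID, UserID, CCode string; Sign []byte }        // Sign by BusiIdMgr over the three fields
type Msg5 struct{ SystemID, BusiAccount, UserID string; Sign2 []byte } // Sign2 by BusiIdMgr over the three fields
type Mail struct{ To, SystemName, CCode string }                       // Msg3 as delivered by the trusted mail system
type system struct{ Name string; Pub ed25519.PublicKey }               // a registered BusiIdMgr; its "certificate" is a raw key here

// RealIdMgr is the network identity card system.
type RealIdMgr struct {
	systems  map[string]system    // SystemID -> registered BusiIdMgr (prerequisite 3)
	users    map[string]string    // UserID -> trusted e-mail address (prerequisite 2)
	Bindings map[[2]string]string // {SystemID, BusiAccount} -> UserID
	Outbox   []Mail               // constructed stand-in for the external trusted mail system
}

// HandleMsg2 is step 3: check Sign and that UserID is registered, then mail Msg3 to the user's trusted address.
func (r *RealIdMgr) HandleMsg2(m Msg2) bool {
	sys, okS := r.systems[m.SystemID]
	addr, okU := r.users[m.UserID]
	if !okS || !okU || !ed25519.Verify(sys.Pub, canon(m.SystemID, m.UserID, m.CCode), m.Sign) {
		return false // unknown system, bad signature or unknown user: "binding unsuccessful"
	}
	r.Outbox = append(r.Outbox, Mail{addr, sys.Name, m.CCode})
	return true // the only thing BusiIdMgr learns; no real-identity data is returned
}

// HandleMsg5 is step 6: check Sign2, persist (BusiAccount, UserID) and answer MsgOk as true.
func (r *RealIdMgr) HandleMsg5(m Msg5) bool {
	sys, ok := r.systems[m.SystemID]
	if !ok || !ed25519.Verify(sys.Pub, canon(m.SystemID, m.BusiAccount, m.UserID), m.Sign2) {
		return false // a bad signature is left unprocessed, as the text specifies
	}
	r.Bindings[[2]string{m.SystemID, m.BusiAccount}] = m.UserID
	return true
}

// BusiIdMgr is the business account management system; its link to RealIdMgr is a direct call here.
type BusiIdMgr struct {
	SystemID string
	priv     ed25519.PrivateKey
	Accounts map[string]string // BusiAccount -> "unbound" | "bound"
	pending  map[string]Msg2   // BusiAccount -> Msg2 whose CCode awaits the user's confirmation
	rim      *RealIdMgr
}

// HandleMsg1 is steps 1-2: on Msg1={BusiAccount,UserID} draw a random CCode and send the signed Msg2.
func (b *BusiIdMgr) HandleMsg1(busiAccount, userID string) bool {
	var raw [16]byte
	rand.Read(raw[:]) // crypto/rand: 128 random bits make CCode unguessable
	m := Msg2{SystemID: b.SystemID, UserID: userID, CCode: hex.EncodeToString(raw[:])}
	m.Sign = ed25519.Sign(b.priv, canon(m.SystemID, m.UserID, m.CCode))
	if _, ok := b.Accounts[busiAccount]; !ok || !b.rim.HandleMsg2(m) {
		return false
	}
	b.pending[busiAccount] = m
	return true
}

// HandleMsg4 is steps 4-6 plus the final state change: check the code the user read from the mail (single use), send Msg5, mark bound on MsgOk.
func (b *BusiIdMgr) HandleMsg4(busiAccount, ccode string) bool {
	p, ok := b.pending[busiAccount]
	if !ok || subtle.ConstantTimeCompare([]byte(p.CCode), []byte(ccode)) != 1 {
		return false
	}
	delete(b.pending, busiAccount)
	m := Msg5{SystemID: b.SystemID, BusiAccount: busiAccount, UserID: p.UserID}
	m.Sign2 = ed25519.Sign(b.priv, canon(m.SystemID, m.BusiAccount, m.UserID))
	if !b.rim.HandleMsg5(m) {
		return false
	}
	b.Accounts[busiAccount] = "bound"
	return true
}

// RunExample drives the flow with constructed data; with tamper=true the client submits a code it never received.
func RunExample(tamper bool) (state, boundTo string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rim := &RealIdMgr{systems: map[string]system{"SYS-001": {"campus-library", pub}},
		users: map[string]string{"U-1001": "alice@trusted-mail.example"}, Bindings: map[[2]string]string{}}
	busi := &BusiIdMgr{SystemID: "SYS-001", priv: priv, rim: rim, pending: map[string]Msg2{},
		Accounts: map[string]string{"alice_lib": "unbound"}}
	code := "0000" // what a client that never saw the mail would have to guess
	if busi.HandleMsg1("alice_lib", "U-1001") && !tamper {
		code = rim.Outbox[len(rim.Outbox)-1].CCode // the user reads the mail
	}
	busi.HandleMsg4("alice_lib", code)
	return busi.Accounts["alice_lib"], rim.Bindings[[2]string{busi.SystemID, "alice_lib"}]
}
```

RunExample(false) returns ("bound", "U-1001"); RunExample(true), where the client never saw the mail, returns ("unbound", ""). Three points the message list alone does not make explicit: CCode is drawn from crypto/rand and compared in constant time, the pending code is discarded after one use, and RealIdMgr's only answers to BusiIdMgr are success or failure, so the business system learns nothing about the real identity beyond the UserID the user supplied itself.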
Implementation two: in this mode the binding between the business identity in BusiIdMgr and the real identity in RealIdMgr is achieved by having the user log in twice. The preconditions are as follows:
1. The BusiIdMgr system has registered with the RealIdMgr system and obtained a unique system identifier SystemID;
2. The message channel between the identity binding module of the BusiIdMgr system and the identity binding module of the RealIdMgr system, and the channels between each of them and the browser, are all protected by SSL.
The identity binding process is as follows:
1. The user sends the identity binding request message Msg1 from the browser to the identity binding interaction module of the BusiIdMgr system. The message format is as follows:
Msg1={BusiAccount}
The message content comprises:
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
2. The identity binding interaction module of the BusiIdMgr system checks whether the account corresponding to BusiAccount exists; if it does, it sends message Msg2 to the browser. The message format is as follows:
Msg2={BusiAccount,SystemID,Time,Sign}
The message content comprises:
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
SystemID: the unique system identifier BusiIdMgr obtained when registering with the RealIdMgr system;
Time: the current time;
Sign: the digital signature the BusiIdMgr system computes with its own private key over BusiAccount, SystemID and Time;
3. After receiving Msg2 in step 2, the browser is redirected to the login page of the RealIdMgr system. The user now logs in to the RealIdMgr system with his or her real identity, and the browser forwards message Msg3 to the identity binding interaction module of the RealIdMgr system. The message format is as follows:
Msg3={Msg2,UserID}={BusiAccount,SystemID,Time,Sign,UserID}
The message content comprises:
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
SystemID: the unique system identifier BusiIdMgr obtained when registering with the RealIdMgr system;
Time: the time Time carried in message Msg2 of step 2;
Sign: the digital signature the BusiIdMgr system computes with its own private key over BusiAccount, SystemID and Time;
UserID: the user's identity identifier in the RealIdMgr system;
4. If the user's login to the RealIdMgr system in step 3 fails, RealIdMgr does nothing and identity binding fails. If the login succeeds, the RealIdMgr system uses the Time field to judge whether the message of step 3 is still valid; if its validity period has passed, identity binding fails. Otherwise RealIdMgr reads the public key certificate of the BusiIdMgr system according to SystemID and verifies that the signature Sign is correct. If the signature is correct, UserID and BusiAccount are saved in the database table corresponding to BusiIdMgr, and message Msg4 is sent to the identity binding interaction module of the BusiIdMgr system to notify it that identity binding succeeded. The format of Msg4 is as follows:
Msg4={BusiAccount,Sign2}
The message content comprises:
BusiAccount: the unique account identifier the user registered with BusiIdMgr;
Sign2: the digital signature the RealIdMgr system computes with its own private key over BusiAccount;
5. The BusiIdMgr system verifies the signature Sign2 with the public key certificate of RealIdMgr. If it is incorrect, the message is treated as forged and left unprocessed; if the signature is correct, the state of BusiAccount is changed to bound.
At this point the identity binding process of MappingProcess in the two-login implementation is complete.
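The two-login MappingProcess above, including the Time validity check of step 4, as an added example in Go; again not part of the patent and not the applicant's code. Assumptions: Ed25519 for the signatures, raw public keys for the certificates, a separator-joined encoding of the signed fields, Unix seconds for Time, a five-minute validity window (the patent requires an expiry check but gives no length), a password lookup standing in for the real-identity login, and constructed names (SYS-001, U-1001, alice_lib). The SSL-protected channels of precondition 2 are direct function calls here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"strconv"
	"strings"
	"time"
)

// Validity is the freshness window for Msg2's Time field; the patent requires an expiry
// check but does not fix its length, so five minutes is an assumption of this example.
const Validity = 5 * time.Minute

func canon(fields ...string) []byte { return []byte(strings.Join(fields, "\x1f")) } // unambiguous field join (assumption)

type Msg2 struct{ BusiAccount, SystemID string; Time int64; Sign []byte } // Time as Unix seconds (assumption)
type Msg3 struct{ Msg2; UserID string }                                  // Msg2 plus the UserID of the RealIdMgr login
type Msg4 struct{ BusiAccount string; Sign2 []byte }                     // Sign2 by RealIdMgr over BusiAccount only

// signedFields is what BusiIdMgr signs in Msg2: BusiAccount, SystemID and Time.
func signedFields(m Msg2) []byte { return canon(m.BusiAccount, m.SystemID, strconv.FormatInt(m.Time, 10)) }

// RealIdMgr is the network identity card system.
type RealIdMgr struct {
	priv     ed25519.PrivateKey
	systems  map[string]ed25519.PublicKey // SystemID -> BusiIdMgr public key certificate (precondition 1)
	users    map[string]string            // UserID -> password, a constructed stand-in for the real-identity login
	Bindings map[[2]string]string         // {SystemID, BusiAccount} -> UserID
	Now      func() time.Time             // injectable clock so the expiry check can be exercised
}

// Login is the user's second login; UserID comes from this authenticated session, never from the browser message.
func (r *RealIdMgr) Login(userID, password string) (string, bool) {
	if pw, ok := r.users[userID]; ok && pw == password {
		return userID, true
	}
	return "", false
}

// HandleMsg3 is step 4: require a successful login, check Time against the validity window,
// verify Sign with the registered certificate, persist the mapping and issue the signed Msg4.
func (r *RealIdMgr) HandleMsg3(m Msg3, loggedIn bool) (Msg4, bool) {
	age := r.Now().Sub(time.Unix(m.Time, 0))
	pub, ok := r.systems[m.SystemID]
	if !loggedIn || age > Validity || age < -Validity || !ok || !ed25519.Verify(pub, signedFields(m.Msg2), m.Sign) {
		return Msg4{}, false // failed login, stale or future-dated Msg2, unknown system or bad signature
	}
	r.Bindings[[2]string{m.SystemID, m.BusiAccount}] = m.UserID
	return Msg4{m.BusiAccount, ed25519.Sign(r.priv, canon(m.BusiAccount))}, true
}

// BusiIdMgr is the business account management system.
type BusiIdMgr struct {
	SystemID string
	priv     ed25519.PrivateKey
	realPub  ed25519.PublicKey // RealIdMgr's public key certificate, part of the claim 6 configuration
	Accounts map[string]string // BusiAccount -> "unbound" | "bound"
	Now      func() time.Time
}

// HandleMsg1 is steps 1-2: for an existing account return the signed, timestamped Msg2.
func (b *BusiIdMgr) HandleMsg1(busiAccount string) (Msg2, bool) {
	if _, ok := b.Accounts[busiAccount]; !ok {
		return Msg2{}, false
	}
	m := Msg2{BusiAccount: busiAccount, SystemID: b.SystemID, Time: b.Now().Unix()}
	m.Sign = ed25519.Sign(b.priv, signedFields(m))
	return m, true
}

// HandleMsg4 is step 5: verify Sign2 with RealIdMgr's certificate; a forged message is ignored.
func (b *BusiIdMgr) HandleMsg4(m Msg4) bool {
	if _, ok := b.Accounts[m.BusiAccount]; !ok || !ed25519.Verify(b.realPub, canon(m.BusiAccount), m.Sign2) {
		return false
	}
	b.Accounts[m.BusiAccount] = "bound"
	return true
}

// RunExample plays the browser: Msg1/Msg2 with BusiIdMgr, the RealIdMgr login and Msg3 `delay` later, then Msg4.
func RunExample(delay time.Duration, password string) string {
	rPub, rPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	base := time.Unix(1700000000, 0)
	rim := &RealIdMgr{priv: rPriv, systems: map[string]ed25519.PublicKey{"SYS-001": bPub},
		users: map[string]string{"U-1001": "correct horse"}, Bindings: map[[2]string]string{},
		Now: func() time.Time { return base.Add(delay) }}
	busi := &BusiIdMgr{SystemID: "SYS-001", priv: bPriv, realPub: rPub,
		Accounts: map[string]string{"alice_lib": "unbound"}, Now: func() time.Time { return base }}
	msg2, ok := busi.HandleMsg1("alice_lib")
	if !ok {
		return busi.Accounts["alice_lib"]
	}
	userID, loggedIn := rim.Login("U-1001", password)
	if msg4, ok := rim.HandleMsg3(Msg3{msg2, userID}, loggedIn); ok {
		busi.HandleMsg4(msg4)
	}
	return busi.Accounts["alice_lib"]
}
```

RunExample(0, "correct horse") ends with the account bound; RunExample(10*time.Minute, "correct horse") fails on the Time check, and RunExample(0, "wrong") fails on the login, leaving the account unbound. UserID is taken from RealIdMgr's own login result, never from what the browser forwarded. Following the message format on the page, Sign2 covers only BusiAccount; a deployment would want Msg4 to also carry something tying it to this particular request, such as the Time value from Msg2.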

Claims (10)

1. A method for constructing a trusted identity service platform with a two-layer framework, comprising the steps of:
1) establishing a business account management system, in which the business account management server receives the registration information of a network user and generates a unique account identifier for the user; and establishing a network identity card system, in which the network identity card system server receives the user's real identity information and generates a unique real identity identifier for the user;
2) registering said business account management system with said network identity card system and obtaining the unique system identifier of this business account management system;
3) binding, according to the unique system identifier of this business account management system, the business account registered in this business account management system to the user's real identity registered in said network identity card system; wherein, during the binding procedure, the user's real identity in said network identity card system is invisible to the business account management system;
4) this business account management system changing the state of the bound user to bound.
2. the method for claim 1 is characterized in that the method that the user real identification of the activity account that will register in this service account management system and described network identification card system registry is bound is:
1) user sends the request message of binding identity to this business number of the account management system, and wherein request message comprises described true identity unique identification, account unique identification;
2) after this business number of the account management system is passed through this user rs authentication, send binding message to the network identification card system; Wherein this message comprises: the accidental validation sign indicating number of this business number of the account management system and system's unique identification, described true identity unique identification, and this message is carried out digital signature with own private key, and the joining day factor;
3) in this binding message of network identification card system verification signature correct after, the title and the described accidental validation sign indicating number of this business number of the account management system sent to the credible e-mail address of this user in the network identification card system registry;
4) after this user obtains this business number of the account management system title and described accidental validation sign indicating number, this accidental validation sign indicating number is submitted to this business number of the account management system;
5) this business number of the account management system verifies whether successfully the correctness of this accidental validation sign indicating number and ageing determining one's identity bind, if success, then send message to described network identification card system, this message content comprises: described system unique identification, this user's account unique identification, true identity unique identification, and the digital signature of this message content;
6) described network identification card system receives 5) send out after the message, the correctness of certifying signature, if be proved to be successful, then this user's the true identity and the mapping relations of account working be saved in the database, and send the identity binding success message to this business number of the account management system;
7) after this business number of the account management system is received this identity binding success message, the state of this user account changed into bind.
3. the method for claim 1, the method that the user real identification that it is characterized in that registering in the activity account that will register in this service account management system and the described network identification card system is bound is:
1) user sends the identity binding request message by browser to this business number of the account management system, and wherein request message comprises described account unique identification;
2) after this business number of the account management system is passed through this user rs authentication, then return messages are to this user browser, these return messages comprise: described account unique identification, described system unique identification, current time, and utilize the digital signature of this business number of the account management system private key to this return messages content;
3) this user logins described network identification card system by same browser, and its true identity unique identification is sent to described network identification card system;
4) described network identification card system determines according to the current time in these return messages whether these return messages are effective, if effectively, then verifies the correctness of described digital signature; Account unique identification and true identity uniquely identified mapping relations with this user after being proved to be successful are saved in database, and sending message to this business number of the account management system, this message content comprises this user's account unique identification and described network identification card system to this number of the account uniquely identified signature;
5) checking of this business number of the account management system 4) message of sending out, verify by after the account status of this user's account unique identification correspondence changed into bind.
4. The method of claim 2 or 3, characterized in that said network identity card system further comprises a real identity management module and a query module; wherein said real identity management module is used to maintain the real identities in said network identity card system, and said query module is used to query the real identities in said network identity card system.
5. A trusted network service platform with a two-layer framework, characterized by comprising one network identity card system and one or more business account management systems, said network identity card system being connected to said business account management system through a network;
wherein said network identity card system comprises: a business system registration module, a real identity registration module, a real identity management module, an identity binding relation query module and an identity binding interaction module;
said business system registration module is used to let said business account management system register with said network identity card system;
said real identity registration module is used to provide the real identity registration service for users;
said real identity management module is used to maintain the real identities in said network identity card system;
said identity binding relation query module is used to query the real identities in said network identity card system;
said identity binding interaction module is used to interact with the identity binding interaction module of said business account management system so as to bind a user's business account to the real identity registered in said network identity card system; wherein, during the binding procedure, the user's real identity in said network identity card system is invisible to the business account management system;
wherein said business account management system comprises: a basic identity management module, a system information configuration module and a user identity binding interaction module;
said basic identity management module is used for the identity registration and identity management of business users;
said system information configuration module is used for the information configuration of the business account management server itself;
said user identity binding interaction module is used to interact with the user identity binding interaction module of said network identity card system so as to bind a user's business account to the real identity registered in said network identity card system; wherein, during the binding procedure, the user's real identity in said network identity card system is invisible to the business account management system.
6. The platform of claim 5, characterized in that said information configuration comprises: the domain name of the business account management server, the system identifier the business account management server obtained after registering with the network identity card system, the private key of the business account management server system, and the public key certificate of the network identity card system.
7. The platform of claim 6, characterized in that said business account management system protects transmitted data by digitally signing it and adding a timestamp.
8. The platform of claim 5, 6 or 7, characterized in that the two said user identity binding interaction modules bind the user's business account to the real identity registered in said network identity card system through an external trusted mail system provided by the user.
9. The platform of claim 5, 6 or 7, characterized in that the two said user identity binding interaction modules bind the user's business account to the real identity registered in said network identity card system by having the user log in to said network identity card system and to said business account management system respectively from the same client.
10. The method of claim 9, characterized in that the communication channels between said client and said network identity card system and said business account management system are protected by SSL.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010588222 CN102025741B (en) 2010-12-07 2010-12-07 Trusted identity service platform with two-layer framework and construction method thereof

Publications (2)

Publication Number Publication Date
CN102025741A true CN102025741A (en) 2011-04-20
CN102025741B CN102025741B (en) 2013-06-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130605

Termination date: 20211207